HIPAA Security Rule §164.312 + §164.504(e) + §164.502(b) + §164.316
The HIPAA Security Rule (45 CFR Part 164) governs the protection of electronic Protected Health Information (ePHI). This mapping covers the technical safeguards (§ 164.312), Business Associate contracts (§ 164.504(e)), the minimum necessary standard (§ 164.502(b)), and the six-year documentation retention requirement (§ 164.316). Ledgix evidences each with the cryptographic ledger plus the Phase 7 BAA/minimum-necessary artifacts and the Phase 6 retention attestations.
Status: Full — every control resolves to an artifact Ledgix produces today, now that the Phase 6 retention module and the Phase 7 HIPAA module have shipped.
Scope
HIPAA applies to covered entities (health plans, healthcare providers, healthcare clearinghouses) and their business associates. Coverage in this mapping spans the technical safeguards (access controls, audit controls, integrity, authentication, transmission security), the minimum-necessary standard on use/disclosure of PHI, the Business Associate contract requirements, and the six-year documentation retention obligation.
Controls covered
| Control ID | Evidence types | HIPAA standard | Evidence produced |
|---|---|---|---|
| HIPAA-164.312(a)(1)-AC | events_jsonl | Access Control — Unique User Identification | Each action carries agent_id, human_principal (when delegated), and receipt_key_id. |
| HIPAA-164.312(a)(2)(iii)-AUTO | events_jsonl | Automatic Logoff / Session Management | accepted_at and agent_id support session reconstruction. |
| HIPAA-164.312(b)-AUDIT | events_jsonl / checkpoint_chain | Audit Controls | Complete audit record of AI-mediated actions plus Merkle-chained integrity. |
| HIPAA-164.312(c)(1)-INTEG | checkpoint_chain / key_history / signatures / proof_index | Integrity — Protection from Improper Alteration or Destruction | Append-only chain, signing-key custody, export signature, per-event inclusion proofs. |
| HIPAA-164.312(d)-PERSON | events_jsonl | Person or Entity Authentication | Cryptographic attribution binds each action to the authenticated actor. |
| HIPAA-164.312(e)(1)-TRANS | signatures / key_history | Transmission Security | Signed manifests and key custody records support transmission-integrity claims. |
| HIPAA-164.502(b)-MINIMUM-NECESSARY | policy_snapshots / minimum_necessary_attestations | Minimum Necessary Standard | Signed minimum-necessary attestations binding agent + purpose to permitted PHI categories and recipients. |
| HIPAA-164.504(e)-BAA | baa_registry | Business Associate Contracts | Signed BAA registry with party, scope, signed_doc_sha256, effective window, and expiry. |
| HIPAA-164.316-RET | policy_snapshots / key_history / retention_attestations / retention_policies | Documentation Retention (6-year WORM) | Policy snapshots, key custody, and signed Object Lock attestations covering the six-year horizon. |
Evidence types referenced
- events_jsonl — complete audit record with agent, human, and cryptographic attribution.
- checkpoint_chain — append-only Merkle chain demonstrating integrity.
- key_history — signing-key custody history.
- signatures — export integrity signature.
- proof_index — per-event Merkle inclusion proofs.
- policy_snapshots — tenant policies articulating minimum-necessary rules.
- minimum_necessary_attestations — signed per-agent/purpose attestations.
- baa_registry — signed BAAs in force during the window.
- retention_attestations — signed S3 Object Lock attestations covering the window.
- retention_policies — approved retention policies in force.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today. Tenants handling ePHI are responsible for tagging PHI on their events and for uploading executed BAAs; the admin console's HIPAA panel provides an intake UI for both.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting HIPAA Security Rule §164.312 + §164.504(e) + §164.502(b) + §164.316 and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
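As an added example (not Ledgix's own code), a small checker an auditor could run over an exported evidence ZIP before relying on it. It assumes framework_mapping.json carries a controls list with id and evidence_locators entries, and that each baa_registry entry carries a hypothetical signed_doc locator alongside its signed_doc_sha256; both layouts are assumptions, not Ledgix's documented schema. The pack it builds is constructed for the example, with one retention artifact deliberately left out so the check reports it.

```python
import hashlib
import io
import json
import zipfile

# Constructed audit-pack contents. The framework_mapping.json layout and the
# "signed_doc" locator inside baa_registry entries are ASSUMPTIONS.
BAA_TEXT = b"constructed signed BAA document"
MAPPING = {
    "framework": "HIPAA Security Rule",
    "controls": [
        {"id": "HIPAA-164.312(b)-AUDIT",
         "evidence_locators": ["events.jsonl", "checkpoint_chain.json"]},
        {"id": "HIPAA-164.504(e)-BAA", "evidence_locators": ["baa_registry.json"]},
        {"id": "HIPAA-164.316-RET",
         "evidence_locators": ["retention_attestations.json"]},  # omitted below
    ],
}
BAA_REGISTRY = [{"party": "Example Clinic", "scope": "ePHI processing",
                 "signed_doc": "baa/example_clinic.pdf",
                 "signed_doc_sha256": hashlib.sha256(BAA_TEXT).hexdigest()}]


def build_pack(tamper_baa: bool = False) -> bytes:
    """Assemble the constructed ZIP; optionally alter the BAA document in transit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("framework_mapping.json", json.dumps(MAPPING))
        z.writestr("events.jsonl", '{"agent_id":"a1","accepted_at":"2024-01-01T00:00:00Z"}\n')
        z.writestr("checkpoint_chain.json", "[]")
        z.writestr("baa_registry.json", json.dumps(BAA_REGISTRY))
        z.writestr("baa/example_clinic.pdf", BAA_TEXT + (b"!" if tamper_baa else b""))
    return buf.getvalue()


def check_pack(zip_bytes: bytes) -> dict:
    """Return {control_id: [problems]} for controls whose locators do not resolve
    or whose BAA document hash disagrees with the registry; {} means all good."""
    problems: dict = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = set(z.namelist())
        mapping = json.loads(z.read("framework_mapping.json"))
        for control in mapping["controls"]:
            issues = [f"missing {loc}" for loc in control["evidence_locators"] if loc not in names]
            if control["id"].endswith("-BAA") and "baa_registry.json" in names:
                for entry in json.loads(z.read("baa_registry.json")):
                    doc = entry.get("signed_doc")
                    if doc not in names:
                        issues.append(f"BAA document {doc} not in pack")
                    elif hashlib.sha256(z.read(doc)).hexdigest() != entry["signed_doc_sha256"]:
                        issues.append(f"sha256 mismatch for {doc}")
            if issues:
                problems[control["id"]] = issues
    return problems
```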
References
- Framework mapping JSON: vault/internal/compliance/frameworks/hipaa_partial.json
- Canonical source: 45 CFR Part 164 — HIPAA Security Rule — ecfr.gov